CN104506513B - Fire wall flow table backup method, fire wall and firewall system - Google Patents


Info

Publication number: CN104506513B
Application number: CN201410784814.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN104506513A
Inventor: 陈旭
Current and original assignee: Beijing Star Net Ruijie Networks Co Ltd
Legal status: Active
Prior art keywords: message, message flow, flow, nat, firewall
Events: application filed by Beijing Star Net Ruijie Networks Co Ltd; published as CN104506513A; granted and published as CN104506513B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

Abstract

The present invention provides a firewall flow table backup method, a firewall and a firewall system. In the method, the system contains a master firewall and a slave firewall that operate in network address translation (NAT) mode and act as hot standby for each other. When the master firewall forwards the first packet of a packet flow, it obtains the flow table entry and the NAT connection information of that flow; the master firewall then sends the flow table entry and the NAT connection information to the slave firewall, so that the slave firewall can forward the non-first packets of the flow according to them. The invention prevents service interruption when traffic is switched between the firewalls.

Description

Fire wall flow table backup method, fire wall and firewall system
Technical field
Embodiments of the present invention relate to network technology, and in particular to a firewall flow table backup method, a firewall and a firewall system.
Background technology
A firewall is usually made up of software and hardware and is deployed between an intranet and an external network, between a private network and a public network, or between a LAN and the Internet, to protect the internal, private or local network from intrusion by unauthorised users and from attack by viruses and Trojans. When traffic passes through, the firewall creates a forward and a reverse flow table entry from the first packet of the session, using its protocol number, source Internet Protocol (IP) address, destination IP address, source port and destination port; subsequent packets are forwarded according to the forward or reverse entry.
In high-availability deployments, firewalls are commonly networked as a dual-device hot-standby pair: when one device fails, service traffic is switched automatically to the other device. In the existing approach, a session backup unit is implemented on each of the first and second devices configured in the hot-standby relationship. A session entry is created from the first packet of each session and backed up to the peer device. When the first or second device receives a non-first packet for which it has no matching session entry, it passes the packet to the peer device to query its session entries, and the entry returned by the query is stored locally as a backup and used to forward the packet.
Under network address translation (NAT), however, backing up the session flow table is not enough. The NAT function of the firewall translates between internal private IP addresses and external IP addresses, and it also generates an expected connection from the payload of the control connection in the packet flow (the payload carries private-side addressing). When the data connection packets generated according to the payload of the control connection arrive at the firewall, the firewall matches them against the expected connection to complete the transmission. If packets are forwarded under NAT and only the session entry has been backed up, while the expected connection has not been backed up to the peer device, the data connection cannot be created and the corresponding service is interrupted.
The content of the invention
The present invention provides a firewall backup method, a firewall and a firewall system, to solve the service interruption that occurs when a firewall carrying NAT traffic switches that traffic to its peer.
In a first aspect, the present invention provides a firewall flow table backup method. The system contains a master firewall and a slave firewall that operate in network address translation (NAT) mode and act as hot standby for each other, and the method includes:
when the master firewall forwards the first packet of a packet flow, obtaining the flow table entry and the NAT connection information of the packet flow;
the master firewall sending the flow table entry and the NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
With reference to the first aspect, in a first embodiment, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and the parent/child flow information. The packet length difference information is used to determine the Transmission Control Protocol (TCP) sequence numbers of the packets in the flow after NAT translation; the expected connection information is used to determine the data connection of the packet flow after NAT translation and to generate the parent/child flow information; the parent/child flow information is used to determine the parent or child packet flow of the packet flow.
With reference to the first aspect and the first embodiment, in a second embodiment, the packet length difference information of the packet flow is the difference between the packet length before and after NAT translation.
With reference to the first aspect and the first embodiment, in a third embodiment, the expected connection information of the packet flow includes the matching relationship between the ports of the data connection before and after NAT translation, and the information used to generate the parent/child flow information.
With reference to the first aspect and the first three embodiments, in a fourth embodiment, the master firewall sending the flow table entry and the NAT connection information of the packet flow to the slave firewall specifically includes:
the master firewall sending the flow table entry and the NAT connection information of the packet flow to the slave firewall over a dedicated link.
In a second aspect, the present invention provides a firewall flow table backup method. The system contains a master firewall and a slave firewall that operate in network address translation (NAT) mode and act as hot standby for each other, and the method includes:
the slave firewall receiving the flow table entry and the NAT connection information of a packet flow sent by the master firewall;
the slave firewall forwarding the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
With reference to the second aspect, in a first embodiment, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow;
the slave firewall forwarding the non-first packets of the packet flow according to the flow table entry and the NAT connection information specifically includes:
if the packet flow is a control connection, the slave firewall restoring the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forwarding the non-first packets of the flow in the NAT connection according to the flow table entry and the TCP sequence numbers of the packet flow;
if the packet flow is a data connection, the slave firewall determining the security policy and the IP address of the packet flow according to the parent/child flow information, determining the port matching relationship of the packet flow according to the expected connection information and generating the parent/child flow information, establishing the data connection according to the flow table entry, the IP address and the port matching relationship of the packet flow, and forwarding the non-first packets of the flow.
With reference to the second aspect and the first embodiment, in a second embodiment, the packet length difference information of the packet flow is the difference between the packet length before and after NAT translation.
With reference to the second aspect and the first embodiment, in a third embodiment, the expected connection information of the packet flow includes the matching relationship between the ports of the data connection before and after NAT translation, and the information used to generate the parent/child flow information.
With reference to the second aspect and the first embodiment, in a fourth embodiment, determining the security policy and the IP address of the packet flow according to the parent/child flow information specifically includes:
determining the parent or child flow to which the packet flow belongs;
if the packet flow is a child flow, determining the security policy and the IP address of the packet flow according to the security policy of its parent flow.
With reference to the second aspect and the first four embodiments, in a fifth embodiment, the slave firewall receiving the flow table entry and the NAT connection information of the packet flow sent by the master firewall specifically includes: the slave firewall receiving the flow table entry and the NAT connection information of the packet flow over a dedicated link.
In a third aspect, the present invention provides a master firewall operating in network address translation (NAT) mode, including:
an acquisition module, configured to obtain the flow table entry and the NAT connection information of a packet flow when the first packet of the packet flow is forwarded;
a sending module, configured to send the flow table entry and the NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
With reference to the third aspect, in a first embodiment, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and the parent/child flow information. The packet length difference information is used to determine the TCP sequence numbers of the packets in the flow after NAT translation; the expected connection information is used to determine the data connection of the packet flow after NAT translation and to generate the parent/child flow information; the parent/child flow information is used to determine the parent or child packet flow of the packet flow.
With reference to the third aspect and the first embodiment, in a second embodiment, the packet length difference information of the packet flow is the difference between the packet length before and after NAT translation.
With reference to the third aspect and the first embodiment, in a third embodiment, the expected connection information of the packet flow includes the matching relationship between the ports of the data connection before and after NAT translation, and the information used to generate the parent/child flow information.
With reference to the third aspect and the first three embodiments, in a fourth embodiment, the sending module is specifically configured to send the flow table entry and the NAT connection information of the packet flow to the slave firewall over a dedicated link.
In a fourth aspect, the present invention provides a slave firewall operating in network address translation (NAT) mode, including:
a receiving module, configured to receive the flow table entry and the NAT connection information of a packet flow sent by the master firewall;
a packet forwarding module, configured to forward the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
With reference to the fourth aspect, in a first embodiment, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow;
the packet forwarding module is specifically configured to:
if the packet flow is a control connection, restore the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forward the non-first packets of the flow in the NAT connection according to the flow table entry and the TCP sequence numbers of the packet flow;
if the packet flow is a data connection, determine the security policy and the IP address of the packet flow according to the parent/child flow information, determine the port matching relationship of the packet flow according to the expected connection information and generate the parent/child flow information, establish the data connection according to the flow table entry, the IP address and the port matching relationship of the packet flow, and forward the non-first packets of the flow.
With reference to the fourth aspect and the first embodiment, in a second embodiment, the packet length difference information of the packet flow is the difference between the packet length before and after NAT translation.
With reference to the fourth aspect and the first embodiment, in a third embodiment, the expected connection information of the packet flow includes the matching relationship between the ports of the data connection before and after NAT translation, and the information used to generate the parent/child flow information.
With reference to the fourth aspect and the first embodiment, in a fourth embodiment, the packet forwarding module is specifically configured to:
determine the parent or child flow to which the packet flow belongs;
if the packet flow is a child flow, determine the security policy and the IP address of the packet flow according to the security policy of its parent flow.
With reference to the fourth aspect and the first four embodiments, in a fifth embodiment, the receiving module is specifically configured to receive the flow table entry and the NAT connection information of the packet flow over a dedicated link.
In a fifth aspect, the present invention provides a firewall system including one master firewall as described above and at least one slave firewall as described above; the flow table entry and the NAT connection information of a packet flow are transmitted between the master firewall and the slave firewall over a dedicated link.
In the firewall flow table backup method, firewall and firewall system provided by the invention, the master firewall obtains the NAT connection information of a packet flow when it forwards the first packet of the flow, and then sends the flow table entry and the NAT connection information of the flow to the slave firewall, so that the slave firewall forwards the non-first packets of the flow according to them; the slave firewall receives the flow table entry and the NAT connection information sent by the master firewall and forwards the non-first packets of the packet flow accordingly. Thus, when the firewalls carry NAT traffic and traffic is switched from the master firewall to the slave firewall, the slave firewall can continue to forward the remaining non-first packets of the flow according to the flow table entry and the NAT connection information, which prevents service interruption during the switch.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the firewall backup method provided by the first embodiment of the present invention;
Fig. 2 is a flow diagram of the firewall backup method provided by the second embodiment of the present invention;
Fig. 3 is a flow diagram of the firewall backup method provided by the third embodiment of the present invention;
Fig. 4 is a schematic diagram of the network architecture of the system provided by the third embodiment of the present invention;
Fig. 5 is a structural diagram of the master firewall provided by the fourth embodiment of the present invention;
Fig. 6 is a structural diagram of the slave firewall provided by the fifth embodiment of the present invention;
Fig. 7 is a structural diagram of the master firewall provided by the sixth embodiment of the present invention;
Fig. 8 is a structural diagram of the slave firewall provided by the seventh embodiment of the present invention;
Fig. 9 is a structural diagram of the firewall system provided by the eighth embodiment of the present invention.
Specific embodiment
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow diagram of the firewall backup method provided by the first embodiment of the present invention. As shown in Fig. 1, the firewall backup method provided by this embodiment includes:
S101: when the master firewall forwards the first packet of a packet flow, it obtains the flow table entry and the NAT connection information of the packet flow.
In this embodiment the system contains two firewalls that act as hot standby for each other. They may work in active-standby mode or in active-active mode. In active-standby mode, traffic passes only through the master firewall, and when the master firewall fails the traffic is switched to the slave firewall. In active-active mode, traffic is shared across both firewalls to balance the load; when one firewall fails, the service traffic on it is switched to the other firewall for processing, in which case the firewall that originally carried the service is the master firewall and the firewall that takes over its service traffic is the slave firewall. The firewalls in the system can operate in network address translation (NAT) mode.
When the master firewall receives and forwards the first packet of a packet flow, it obtains the flow table entry and the NAT connection information needed to forward that flow, from the flow's own information and from the configuration in effect at forwarding time. The flow table entry consists of the five-tuple of the packet (source IP address, source port, destination IP address, destination port and transport layer protocol number). The NAT connection information includes the packet length difference information, the expected connection information of the NAT mode and the parent/child flow information of the packet flow.
The packet length difference information is used to determine the Transmission Control Protocol (TCP) sequence numbers of the packets in the flow after NAT translation. When a firewall operating in NAT mode processes packets, its NAT component translates the IP address in a packet to another IP address, and it may also modify the content of the packet payload. For example, during File Transfer Protocol (FTP) service, the NAT component modifies the content of the PORT command carried in the payload of the control connection, so the packet length changes. In TCP, the progression of sequence numbers is determined by the packet length, so when forwarding the flow the firewall has to modify the TCP sequence numbers in the TCP packets, adding the length change that the packet undergoes during NAT translation, so that the sequence numbers the firewall passes to the server side remain correct values in the server's TCP protocol stack. The packet length difference information can simply be set to the difference between the packet length before and after NAT translation.
The expected connection information is used to determine the data connection of the packet flow after NAT translation and to generate the parent/child flow information. When a firewall operating in NAT mode processes packets, the IP addresses of a packet before and after NAT translation differ, so after the flow has been translated the firewall has to establish the matching relationship between the ports of the data connection before and after NAT translation, and the flow is forwarded between the network side and the firewall according to that relationship; this matching relationship between the data connection ports before and after NAT translation is the expected connection information. Taking FTP again as the example: when the firewall processes FTP packets and its NAT component translates the payload, it allocates a port corresponding to the packet's original port, records the matching relationship between the two ports of the data connection before and after NAT translation, and stores it in a private data structure inside the NAT component; this record is the expected connection information of the packet flow. When a data connection packet reaches the firewall, the firewall translates the data connection according to the port matching relationship stored in that private data structure and sends it to the network side. When the network side sends the data connection packet in response, the firewall delivers the data connection to the correct client according to the matching relationship between the pre-NAT address and the original port of the response packet. The expected connection information can include the matching relationship between the original port number of the data connection and the port number after NAT translation, which is used to determine the original port information of the packet flow after NAT translation. Specifically, the expected connection information of the packet flow can be the matching relationship between the data connection ports before and after NAT translation together with the information used to generate the parent/child flow information.
The parent/child flow information is used to determine the parent or child packet flow of a packet flow. When one packet flow is derived from another, the two flows have a parent/child relationship, and the parent/child flow information carried in the flow tells whether a packet belongs to a parent or a child flow and which flow is its parent or child. While a packet is forwarded on the firewall it has to be inspected by the security service, which normally inspects the packets of a child flow according to the security policy of the parent flow: if the parent flow is allowed through, the child flow is also allowed through. If the packet flow arriving at the firewall lacks the parent/child relationship, the child flow, whose security policy depends on that of its parent, cannot match any security policy and is blocked, so the service is interrupted. Take an FTP download as an example: the control connection is established first, and the data connection is created from the TCP payload of the control connection, so the data connection is the child flow, the control connection is the parent flow, and the relationship between them is a parent/child flow relationship. If the user has configured a security policy that allows the control connection, then because the control connection is the parent of the data connection, the security service lets the data connection through according to the security policy of the control connection, and the data connection traffic is allowed to pass. In addition, because the data connection is a child of the control connection, once the control connection is found to be the parent of the data connection from the parent/child flow information, the Internet Protocol (IP) address and other information of the control connection can be obtained, and the data connection is forwarded according to that IP address.
S102: the master firewall sends the flow table entry and the NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
After the master firewall has obtained the flow table entry and the NAT connection information of the packet flow, it sends them to the slave firewall. When the master firewall fails or stops forwarding the flow for some other reason, the slave firewall can forward the remaining non-first packets of the flow according to the flow table entry and the NAT connection information. The master firewall can send this information over a dedicated link, which may be a dedicated packet forwarding tunnel or another high-speed link, so that the slave firewall obtains the flow table entry and the NAT connection information needed to forward the flow in time.
In this embodiment, the master firewall obtains the NAT connection information of a packet flow when it forwards the first packet of the flow, and then sends the flow table entry and the NAT connection information of the flow to the slave firewall, so that the slave firewall forwards the non-first packets of the flow according to them. Thus, when the firewalls carry NAT traffic and traffic is switched from the master firewall to the slave firewall, the slave firewall can continue to forward the remaining non-first packets of the flow, which prevents service interruption.
Fig. 2 is a flow diagram of the firewall backup method provided by the second embodiment of the present invention. As shown in Fig. 2, the firewall backup method provided by this embodiment includes:
S201: the slave firewall receives the flow table entry and the NAT connection information of a packet flow sent by the master firewall.
In this embodiment the master firewall and the slave firewall in the system can operate in network address translation (NAT) mode. The slave firewall receives the flow table entry and the NAT connection information of the packet flow sent by the master firewall; these are what the master firewall obtained when it forwarded the flow.
The slave firewall can receive the flow table entry and the NAT connection information of the packet flow over a dedicated link, which may be a dedicated packet forwarding tunnel or another high-speed link, so that the slave firewall receives the information sent by the master firewall in time.
S202: the slave firewall forwards the non-first packets of the packet flow according to the flow table entry and the NAT connection information.
The flow table entry consists of the five-tuple of the packet (source IP address, source port, destination IP address, destination port and transport layer protocol number), and the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow.
If the packet flow is a control connection, the slave firewall restores the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forwards the non-first packets of the flow in the NAT connection according to the flow table entry and the TCP sequence numbers of the packet flow;
if the packet flow is a data connection, the slave firewall determines the security policy and the IP address of the packet flow according to the parent/child flow information, determines the port matching relationship of the packet flow according to the expected connection information and generates the parent/child flow information, establishes the data connection according to the flow table entry, the IP address and the port matching relationship of the packet flow, and forwards the non-first packets of the flow.
Further, when determining the security policy and the IP address of the packet flow according to its parent/child flow information, the slave firewall first determines which flow is the parent or child of the packet flow; if the packet flow is a child flow, it determines the security policy and the IP address of the packet flow according to the security policy of its parent flow. For example, the control connection and the data connection are in a parent/child relationship in which the control connection is the parent flow and the data connection is the child flow. If the packet flow is a data connection, determining its security policy requires determining the security policy of the control connection and deriving the security policy of the data connection from it, so that the data connection is not blocked by the firewall's security policy, and the data connection packets are transmitted according to the IP address of the packets in the control connection.
Further, when the transmission control protocol (TCP) sequence numbers of the packet flow are restored according to the packet length difference information, the packet length difference information of the packet flow is the difference between the packet length before and after NAT translation.
Further, the expected connection information of the packet flow can be the matching relationship between the ports of the data connection before and after NAT translation, together with the information used to generate the parent/child flow information.
In the present embodiment, slave firewall receives the flow table of message flow and the NAT link informations that master firewall is sent, Ran Hougen E-Packet the non-first message of stream according to flow table and NAT link informations.So fire wall works as hair in the case where carrying out NAT business During the flow switching of raw principal and subordinate's fire wall, slave firewall can continue to forward remaining non-first message of the message flow, to prevent Service disconnection occurs for wall with flues.
Fig. 3 is a flow diagram of the firewall backup method provided by Embodiment 3 of the present invention. This embodiment describes the information exchange between master and slave firewalls that are hot standby for each other when traffic is switched. As shown in Fig. 3, the firewall backup method provided by this embodiment includes:
S301: when forwarding the first packet of a packet flow, the master firewall obtains the flow table and NAT connection information of the packet flow;
Take the network architecture of the system shown in Fig. 4 as an example. In this embodiment, the system includes two firewalls that are hot standby for each other; the two firewalls may work in active/standby mode (Active-Standby) or in dual-active mode (Active-Active). In active/standby mode, traffic passes only through the master firewall, and when the master firewall fails, the traffic is switched to the standby firewall acting as the slave firewall. In dual-active mode, traffic is shared between the two firewalls to achieve load balancing, and when one of the firewalls fails, the service traffic on that firewall is switched to the other firewall for processing; here the firewall originally processing the service is the master firewall, and the firewall that takes over the service traffic of the master firewall is the slave firewall. The firewalls in the system may operate in network address translation (NAT) mode.
When the master firewall receives and forwards the first packet of a packet flow, it obtains the flow table and NAT connection information used to forward the packet flow from the information of the packet flow itself and from the configuration information at the time of forwarding. The flow table of the packet flow includes the five-tuple information of the packets (source IP address, source port, destination IP address, destination port and transport layer protocol number), and the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and the parent/child flow information.
Specifically, the packet length difference information is used to determine the TCP sequence numbers of the packets in the packet flow after NAT conversion. When a firewall operating in NAT mode processes packets, it converts the IP address in a packet to another IP address, and its NAT component may at the same time modify the content of the packet payload, so that the packet length changes. Since TCP sequence numbers are determined by packet lengths, the change in packet length before and after NAT conversion must be determined in order to obtain the TCP sequence numbers of the packets.
Specifically, the expected connection information is used to determine the data connection of the packet flow after NAT conversion and to generate the parent/child flow information. When a firewall operating in NAT mode processes packets, the IP addresses and ports of the packets before and after NAT conversion differ, so the firewall must store information such as the ports of the packet flow before and after NAT conversion inside its NAT component, so that the packet flow is forwarded between the network side and the firewall according to the connection relationship in the new packet payload.
Specifically, the parent/child flow information is used to determine the parent/child packet flow of a packet flow. When one packet flow is derived from another, the two packet flows have a parent/child flow relationship, and the parent/child flow information carried in the packet flow can be used to determine whether a packet belongs to a parent flow or a child flow and which packet flow is the parent/child flow corresponding to it.
Take an FTP service in the network architecture shown in Fig. 4 as an example. When the host on the intranet sends a packet flow, the data connection address information contained in the sent packet payload is 192.168.1.100:5001, and the content of the PORT command in the packet payload at this time is Port:192.168.1.100:5001. When the packet flow is NAT-converted by the master firewall, the master firewall generates a connection relationship 200.1.1.3:20 —> 200.1.1.2:16384 according to the address of the master firewall and the external FTP server, where 200.1.1.3:20 is the address of the external FTP server and 200.1.1.2:16384 is the public network address and port corresponding to the intranet address 192.168.1.100:5001. This connection relationship is generated inside the master firewall and is used to determine the connection relationship of the packet payload in the packet flow after NAT conversion. When the packets sent by the intranet host pass through the master firewall, the PORT command content carried in the packets changes from 192.168.1.100:5001 to 200.1.1.2:16384; the packet length changes at this point, so the packet length difference before and after NAT processing must be recorded in order to restore the TCP sequence numbers of the packets when forwarding the packet flow, ensuring that the packets are restored correctly when forwarded.
S302: the master firewall sends the flow table and NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow;
After the master firewall has obtained the flow table and NAT connection information of the packet flow, it sends this information to the slave firewall, so that when the master firewall fails or for other reasons no longer forwards the packet flow, the slave firewall can forward the remaining non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow. Specifically, the master firewall may send the flow table and NAT connection information of the packet flow to the slave firewall over a dedicated link, which may be a dedicated packet forwarding tunnel or another high-speed link, so that the slave firewall obtains the flow table and NAT connection information for forwarding the packet flow in a timely manner.
S303: the slave firewall receives the flow table and NAT connection information of the packet flow sent by the master firewall;
S304: the slave firewall forwards the non-first packets of the packet flow according to the flow table and the NAT connection information.
When the master firewall no longer forwards the above packet flow, the packet flow can be forwarded by the slave firewall instead, that is, a traffic switching process is carried out.
Specifically, when forwarding the non-first packets of the packet flow according to the flow table and NAT connection information, the slave firewall must handle the two cases of control connection and data connection separately. If the packet flow is a control connection, the slave firewall restores the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forwards the non-first packets of the packet flow over the NAT connection according to the flow table and the TCP sequence numbers of the packet flow. If the packet flow is a data connection, the slave firewall determines the security policy of the packet flow and the IP address of the packet flow according to the parent/child flow information, determines the port matching relationship of the packet flow and generates the parent/child flow information according to the expected connection information, establishes the data connection according to the flow table, the IP address of the packet flow and the port matching relationship of the packet flow, and forwards the non-first packets of the packet flow. For example, when an FTP service is carried out in the network architecture of Fig. 4 and the packet flow sent by the host is switched to the slave firewall, the slave firewall determines the security policy of the packet flow and the IP address for packet forwarding according to the parent/child flow information of the packet flow. If it is a control connection, the slave firewall restores the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow and forwards the packets according to the backed-up flow table entry. If it is a data connection, the slave firewall determines from the parent/child flow information of the data connection that its parent flow is the control connection, so it continues to use the security policy of the control connection, obtains the intranet port 5001 and the external port 16384 of the packet flow from the expected connection information, and then, from the flow table and the IP addresses in the control connection, obtains the complete correspondence: intranet IP address and port 192.168.1.100:5001 corresponds to external IP address and port 200.1.1.2:16384. On this basis it communicates with the address 200.1.1.3:20 of the external FTP server using this external address, forming a complete connection and thereby forwarding the remaining packets of the packet flow.
Further, when determining the security policy of the packet flow according to the parent/child flow information of the packet flow, it is first determined which packet flow is the parent/child flow to which the packet flow belongs. Taking FTP as an example, the parent flow is the control connection and the child flow is the data connection; the data connection is generated by the PORT command in the payload of the control connection. When the PORT command enters the NAT component, the NAT component records the flow identifier of the current flow (the control connection); when the data connection arrives, the control connection is found by this flow identifier and the parent/child flow relationship is formed.
If the packet flow is a child flow, the security policy of the packet flow is determined according to the security policy of its parent flow. For example, a control connection and a data connection are in a parent/child flow relationship, where the control connection is the parent flow and the data connection is the child flow. If the packet flow is a data connection, then when determining the security policy of the data connection, the security policy of the control connection must be determined, and the security policy of the data connection is determined according to the security policy of the control connection, so as to ensure that the data connection is not blocked by the firewall because of the security policy.
In this embodiment, when forwarding the first packet of a packet flow, the master firewall obtains the NAT connection information of the packet flow and then sends the flow table and NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow; the slave firewall receives the flow table and NAT connection information of the packet flow sent by the master firewall and forwards the non-first packets of the packet flow according to the flow table and the NAT connection information. In this way, when the firewalls carry NAT traffic and traffic is switched between master and slave firewalls, the slave firewall can continue to forward the remaining non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow, preventing a service interruption at the firewall during traffic switching.
Fig. 5 is a structural diagram of the master firewall provided by Embodiment 4 of the present invention. The master firewall operates in network address translation (NAT) mode. As shown in Fig. 5, the master firewall 51 provided by this embodiment includes:
an acquisition module 501, configured to obtain the flow table and NAT connection information of a packet flow when forwarding the first packet of the packet flow;
a sending module 502, configured to send the flow table and NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow.
Specifically, the sending module 502 may send the flow table and NAT connection information of the packet flow to the slave firewall over a dedicated link.
Specifically, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and the parent/child flow information, where the packet length difference information is used to determine the TCP sequence numbers of the packets in the packet flow after NAT conversion, the expected connection information is used to determine the data connection of the packet flow after NAT conversion and to generate the parent/child flow information, and the parent/child flow information is used to determine the parent/child packet flow of the packet flow.
Specifically, the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after NAT conversion.
Specifically, the expected connection information of the packet flow is the matching relationship between the ports of the data connection of the packet flow before and after NAT conversion, together with the information used to generate the parent/child flow information.
In this embodiment, the acquisition module in the master firewall obtains the flow table and NAT connection information of the packet flow when forwarding the first packet of the packet flow, and the sending module sends the flow table and NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow. In this way, when the firewalls carry NAT traffic and traffic is switched between master and slave firewalls, the slave firewall can continue to forward the remaining non-first packets of the packet flow, preventing a service interruption at the firewall.
Fig. 6 is a structural diagram of the slave firewall provided by Embodiment 5 of the present invention. The slave firewall operates in network address translation (NAT) mode. As shown in Fig. 6, the slave firewall 61 provided by this embodiment includes:
a receiving module 601, configured to receive the flow table and NAT connection information of a packet flow sent by the master firewall;
a packet forwarding module 602, configured to forward the non-first packets of the packet flow according to the flow table and the NAT connection information.
Specifically, the receiving module 601 is configured to receive the flow table and NAT connection information of the packet flow over a dedicated link.
The packet forwarding module 602 is specifically configured to determine the parent/child flow to which the packet flow belongs and, if the packet flow is a child flow, to determine the security policy of the packet flow according to the security policy of the parent flow of the packet flow.
Specifically, the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow. Correspondingly, the packet forwarding module 602 is specifically configured to: if the packet flow is a control connection, restore the TCP sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forward the non-first packets of the packet flow over the NAT connection according to the flow table and the TCP sequence numbers of the packet flow; if the packet flow is a data connection, determine the security policy of the packet flow and the IP address of the packet flow according to the parent/child flow information, determine the port matching relationship of the packet flow and generate the parent/child flow information according to the expected connection information, establish the data connection according to the flow table, the IP address of the packet flow and the port matching relationship of the packet flow, and forward the non-first packets of the packet flow.
Specifically, the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after NAT conversion.
Specifically, the expected connection information of the packet flow is the matching relationship between the ports of the data connection of the packet flow before and after NAT conversion, together with the information used to generate the parent/child flow information.
In this embodiment, the receiving module in the slave firewall receives the flow table and NAT connection information of the packet flow sent by the master firewall, and the packet forwarding module forwards the non-first packets of the packet flow according to the flow table and NAT connection information. In this way, when the firewalls carry NAT traffic and traffic is switched between master and slave firewalls, the slave firewall can continue to forward the remaining non-first packets of the packet flow, preventing a service interruption at the firewall.
Fig. 7 is a structural diagram of the master firewall provided by Embodiment 6 of the present invention. The master firewall 71 provided by this embodiment specifically includes a CPU 701, a memory 702 and a forwarding chip 703, among other components. The functional modules for carrying out the method of the foregoing embodiments are formed in the forwarding chip 703, and the CPU 701 executes the machine-readable instructions in the memory 702 to carry out the program steps of the above method that correspond to the divided functional modules, thereby realising the functions of the foregoing method. The functional modules included in the forwarding chip are the same as those in Embodiment 4 above and are not described again here.
Fig. 8 is a structural diagram of the slave firewall provided by Embodiment 7 of the present invention. The slave firewall 81 provided by this embodiment specifically includes a CPU 801, a memory 802 and a forwarding chip 803, among other components. The functional modules for carrying out the method of the foregoing embodiments are formed in the forwarding chip 803, and the CPU 801 executes the machine-readable instructions in the memory 802 to carry out the program steps of the above method that correspond to the divided functional modules, thereby realising the functions of the foregoing method. The functional modules included in the forwarding chip are the same as those in Embodiment 5 above and are not described again here.
Fig. 9 is a structural diagram of the firewall system provided by Embodiment 8 of the present invention. As shown in Fig. 9, the firewall system 91 includes a master firewall 901 and at least one slave firewall 902; the flow table and NAT connection information of packet flows are transmitted between the master firewall 901 and the slave firewall 902 over a dedicated link 903. The structure, function and effect of the master firewall 901 and the slave firewall 902 are described in Embodiments 4 to 7 above and are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The foregoing program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the above method embodiments. The foregoing storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disk.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently substituted, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (21)

1. A firewall flow table backup method, wherein the system includes a master firewall and a slave firewall that operate in network address translation (NAT) mode and are hot standby for each other, characterized in that the method includes:
the master firewall obtaining the flow table and NAT connection information of a packet flow when forwarding the first packet of the packet flow;
the master firewall sending the flow table and NAT connection information of the packet flow to the slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow;
wherein the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and parent/child flow information, the packet length difference information being used to determine the transmission control protocol (TCP) sequence numbers of the packets in the packet flow after conversion by the NAT mode, the expected connection information being used to determine the data connection of the packet flow after NAT mode conversion and to generate the parent/child flow information, and the parent/child flow information being used to determine the parent/child packet flow of the packet flow.
2. The firewall flow table backup method according to claim 1, characterized in that the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after NAT conversion.
3. The firewall flow table backup method according to claim 1, characterized in that the expected connection information of the packet flow includes the matching relationship between the ports of the data connection of the packet flow before and after conversion by the NAT mode, and the information used to generate the parent/child flow information.
4. The firewall flow table backup method according to any one of claims 1 to 3, characterized in that the master firewall sending the flow table and NAT connection information of the packet flow to the slave firewall specifically includes:
the master firewall sending the flow table and NAT connection information of the packet flow to the slave firewall over a dedicated link.
5. A firewall flow table backup method, wherein the system includes a master firewall and a slave firewall that operate in network address translation (NAT) mode and are hot standby for each other, characterized in that the method includes:
the slave firewall receiving the flow table and NAT connection information of a packet flow sent by the master firewall;
the slave firewall forwarding the non-first packets of the packet flow according to the flow table and the NAT connection information;
wherein the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow.
6. The firewall flow table backup method according to claim 5, characterized in that the slave firewall forwarding the non-first packets of the packet flow according to the flow table and the NAT connection information specifically includes:
if the packet flow is a control connection, the slave firewall restoring the transmission control protocol (TCP) sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forwarding the non-first packets of the packet flow over the NAT connection according to the flow table and the TCP sequence numbers of the packet flow;
if the packet flow is a data connection, the slave firewall determining the security policy of the packet flow and the Internet Protocol (IP) address of the packet flow according to the parent/child flow information, determining the port matching relationship of the packet flow and generating the parent/child flow information according to the expected connection information, establishing the data connection according to the flow table, the IP address of the packet flow and the port matching relationship of the packet flow, and forwarding the non-first packets of the packet flow.
7. The firewall flow table backup method according to claim 6, characterized in that the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after conversion by the NAT mode.
8. The firewall flow table backup method according to claim 6, characterized in that the expected connection information of the packet flow includes the matching relationship between the ports of the data connection of the packet flow before and after conversion by the NAT mode, and the information used to generate the parent/child flow information.
9. The firewall flow table backup method according to claim 6, characterized in that determining the security policy of the packet flow and the Internet Protocol (IP) address of the packet flow according to the parent/child flow information specifically includes:
determining the parent/child flow to which the packet flow belongs;
if the packet flow is a child flow, determining the security policy and IP address of the packet flow according to the security policy of the parent flow of the packet flow.
10. The firewall flow table backup method according to any one of claims 5 to 9, characterized in that the slave firewall receiving the flow table and network address translation (NAT) connection information of the packet flow sent by the master firewall specifically includes: the slave firewall receiving the flow table and NAT connection information of the packet flow over a dedicated link.
11. A master firewall, the master firewall operating in network address translation (NAT) mode, characterized in that it includes:
an acquisition module, configured to obtain the flow table and NAT connection information of a packet flow when forwarding the first packet of the packet flow;
a sending module, configured to send the flow table and NAT connection information of the packet flow to a slave firewall, so that the slave firewall forwards the non-first packets of the packet flow according to the flow table and NAT connection information of the packet flow;
wherein the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the NAT mode and parent/child flow information, the packet length difference information being used to determine the transmission control protocol (TCP) sequence numbers of the packets in the packet flow after NAT conversion, the expected connection information being used to determine the data connection of the packet flow after conversion by the NAT mode and to generate the parent/child flow information, and the parent/child flow information being used to determine the parent/child packet flow of the packet flow.
12. The master firewall according to claim 11, characterized in that the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after NAT conversion.
13. The master firewall according to claim 11, characterized in that the expected connection information of the packet flow includes the matching relationship between the ports of the data connection of the packet flow before and after conversion by the NAT mode, and the information used to generate the parent/child flow information.
14. The master firewall according to any one of claims 11 to 13, characterized in that the sending module is specifically configured to send the flow table and NAT connection information of the packet flow to the slave firewall over a dedicated link.
15. A slave firewall, the slave firewall operating in network address translation (NAT) mode, characterized in that it includes:
a receiving module, configured to receive the flow table and NAT connection information of a packet flow sent by a master firewall;
a packet forwarding module, configured to forward the non-first packets of the packet flow according to the flow table and the NAT connection information;
wherein the NAT connection information includes the packet length difference information of the packet flow, the expected connection information of the packet flow and the parent/child flow information of the packet flow.
16. The slave firewall according to claim 15, characterized in that the packet forwarding module is specifically configured to:
if the packet flow is a control connection, restore the transmission control protocol (TCP) sequence numbers of the packet flow according to the packet length difference information of the packet flow, and forward the non-first packets of the packet flow over the NAT connection according to the flow table and the TCP sequence numbers of the packet flow;
if the packet flow is a data connection, determine the security policy of the packet flow and the Internet Protocol (IP) address of the packet flow according to the parent/child flow information, determine the port matching relationship of the packet flow and generate the parent/child flow information according to the expected connection information, establish the data connection according to the flow table, the IP address of the packet flow and the port matching relationship of the packet flow, and forward the non-first packets of the packet flow.
17. The slave firewall according to claim 16, characterized in that the packet length difference information of the packet flow is the difference between the packet lengths of the packet flow before and after NAT conversion.
18. The slave firewall according to claim 16, characterized in that the expected connection information of the packet flow includes the matching relationship between the ports of the data connection of the packet flow before and after conversion by the NAT mode, and the information used to generate the parent/child flow information.
19. The slave firewall according to claim 16, characterized in that the packet forwarding module is specifically configured to:
determine the parent/child flow to which the packet flow belongs;
If the message flow is subflow, the security strategy flowed according to the father of the message flow determines the safe plan of the message flow Summary and IP address.
20. according to claim 15-19 any one of them slave firewalls, which is characterized in that receiving module is specifically used for:Pass through Dedicated link receives the flow table and NAT link informations of the message flow.
21. a kind of firewall system, it is characterised in that:Including one such as claim 11-14 any one of them master firewalls With at least one such as claim 15-20 any one of them slave firewalls, between the master firewall and the slave firewall The transmission of the flow table and NAT link informations of message flow is carried out by dedicated link.
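The following is an added worked example of the master/slave exchange described in claims 11 to 21; it is not code from the patent or from the assignee. It models the three pieces of "NAT link information" (sequence-number delta from an ALG payload rewrite, the expected data connection, and parent/child flow linkage) for an active-mode FTP session behind a NAT, and shows a slave forwarding non-first packets, and the first packet of the expected data connection, using only the backed-up state. The addresses, ports, class and field names, and the JSON "dedicated link" are all illustrative assumptions.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed scenario (not from the patent): client 10.0.0.5 sits behind a NAT
# whose public address is 203.0.113.1 and opens an active-mode FTP control
# connection to 198.51.100.9:21. The FTP ALG on the master rewrites the client's
# PORT command, which changes the payload length and creates an expected data
# connection from the server's port 20. All names below are illustrative only.

@dataclass
class FlowEntry:
    key: tuple                       # 5-tuple as the initiator sends it, before translation
    nat_key: tuple                   # the same flow after NAT translation
    policy: str                      # security policy decided by the master on the first packet
    seq_delta: int = 0               # "message length difference": bytes the ALG added to the payload
    expected: Optional[dict] = None  # "expectation link information": port match of the data connection
    parent: Optional[tuple] = None   # "parent/child stream information": key of the parent (control) flow


def reverse(t):
    """Return the 5-tuple for the opposite direction of the same connection."""
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class MasterFirewall:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.flows, self.next_port = public_ip, {}, first_port

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def first_packet(self, key, policy, payload=""):
        """Process the first packet of a flow: apply policy, allocate NAT, run the FTP ALG."""
        proto, src, sport, dst, dport = key
        entry = FlowEntry(key, (proto, self.public_ip, self._alloc_port(), dst, dport), policy)
        if payload.startswith("PORT "):
            a = payload.split()[1].split(",")
            inside_port = int(a[4]) * 256 + int(a[5])      # port the client will listen on
            data_port = self._alloc_port()                   # public port advertised instead
            rewritten = "PORT %s,%d,%d" % (self.public_ip.replace(".", ","),
                                           data_port // 256, data_port % 256)
            entry.seq_delta = len(rewritten) - len(payload)  # later seq/ack numbers shift by this
            entry.expected = {                               # the server will connect from port 20
                "outside": (proto, dst, 20, self.public_ip, data_port),
                "inside": (proto, dst, 20, src, inside_port)}
        self.flows[key] = entry
        return entry

    def backup(self):
        """Serialise the flow table plus NAT link information for the dedicated link."""
        return json.dumps([asdict(e) for e in self.flows.values()])


class SlaveFirewall:
    def __init__(self):
        self.flows = {}   # indexed by the forward key and by the reversed translated key

    def _install(self, entry):
        self.flows[entry.key] = entry
        self.flows[reverse(entry.nat_key)] = entry

    def receive_backup(self, blob):
        for d in json.loads(blob):          # JSON turned the tuples into lists
            for f in ("key", "nat_key", "parent"):
                d[f] = tuple(d[f]) if d[f] is not None else None
            if d["expected"]:
                d["expected"] = {k: tuple(v) for k, v in d["expected"].items()}
            self._install(FlowEntry(**d))

    def forward(self, pkt):
        """Forward a non-first packet (or the first packet of an expected data
        connection) using only the backed-up state. Returns the translated
        packet, or None when the packet is dropped."""
        key = pkt["key"]
        entry = self.flows.get(key)
        if entry is None:
            # Not in the flow table: maybe the first packet of an ALG data connection.
            # Match it against the expectation carried in a parent's NAT link info and
            # derive the child's policy and inside address from that parent.
            for parent in list(self.flows.values()):
                if parent.expected and parent.expected["outside"] == key:
                    entry = FlowEntry(key, parent.expected["inside"], parent.policy,
                                      parent=parent.key)
                    self._install(entry)
                    break
            else:
                return None
        if entry.policy != "permit":
            return None
        if key == entry.key:       # initiator -> responder: translate, shift seq forward
            return {"key": entry.nat_key, "seq": pkt["seq"] + entry.seq_delta,
                    "ack": pkt["ack"], "parent": entry.parent}
        # responder -> initiator: undo translation, shift ack back
        return {"key": reverse(entry.key), "seq": pkt["seq"],
                "ack": pkt["ack"] - entry.seq_delta, "parent": entry.parent}
```

The slave never sees the PORT command itself, so without `seq_delta` it could not keep the client's and server's sequence spaces consistent after the ALG rewrite, and without `expected` it would have no flow entry for the server-initiated data connection and would drop it; inheriting `policy` from the parent is what claim 19 describes for child flows.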

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410784814.9A CN104506513B (en) 2014-12-16 2014-12-16 Fire wall flow table backup method, fire wall and firewall system

Publications (2)

Publication Number Publication Date
CN104506513A CN104506513A (en) 2015-04-08
CN104506513B true CN104506513B (en) 2018-05-22

Family

ID=52948228

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410784814.9A Active CN104506513B (en) 2014-12-16 2014-12-16 Fire wall flow table backup method, fire wall and firewall system

Country Status (1)

Country Link
CN (1) CN104506513B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241208B (en) * 2016-03-29 2020-02-21 Huawei Technologies Co., Ltd. Message forwarding method, first switch and related system
US10972384B2 (en) 2016-07-27 2021-04-06 New H3C Technologies Co., Ltd. Processing of data stream
CN107666402B (en) * 2016-07-27 2020-07-07 New H3C Technologies Co., Ltd. Network service control method and device
CN109474518B (en) * 2017-09-07 2021-08-20 Huawei Technologies Co., Ltd. Method and device for forwarding messages
CN107968827A (en) * 2017-11-29 2018-04-27 Hangzhou DPtech Technologies Co., Ltd. Session backup method and device based on multi-channel protocols
CN109756498B (en) * 2019-01-04 2021-05-28 FiberHome Telecommunication Technologies Co., Ltd. NAT ALG conversion method and system for the TCP protocol on communication equipment
CN110138656B (en) * 2019-05-28 2022-03-01 New H3C Technologies Co., Ltd. Service processing method and device
CN110636151B (en) * 2019-10-25 2022-03-22 New H3C Security Technologies Co., Ltd. Message processing method and device, firewall and storage medium
CN110932983B (en) * 2019-12-04 2022-03-18 Ruijie Networks Co., Ltd. TCP load balancing method, device, equipment and medium
CN113765858A (en) * 2020-06-05 2021-12-07 Zhongchuangwei (Chengdu) Quantum Communication Technology Co., Ltd. Method and device for implementing a high-performance stateful firewall
CN114500062B (en) * 2022-01-30 2024-04-02 Beijing Baidu Netcom Science and Technology Co., Ltd. NAT traversal method and device, electronic equipment and storage medium
CN114793221B (en) * 2022-03-21 2024-02-09 New H3C Security Technologies Co., Ltd. NAT association table processing method and device
CN115150167B (en) * 2022-06-30 2024-03-12 Beijing Topsec Network Security Technology Co., Ltd. Method and device for synchronization control, electronic equipment and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7042876B1 (en) * 2000-09-12 2006-05-09 Cisco Technology, Inc. Stateful network address translation protocol implemented over a data network
CN101557317A (en) * 2009-05-26 2009-10-14 Hangzhou H3C Technologies Co., Ltd. Active session backup system, device and method in a dual-server hot-backup network
CN102821036A (en) * 2012-04-20 2012-12-12 Hangzhou H3C Technologies Co., Ltd. Method and device for implementing packet forwarding
CN102904818A (en) * 2012-09-27 2013-01-30 Beijing Star-net Ruijie Networks Co., Ltd. Method and device for updating an ARP (Address Resolution Protocol) information table

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8543678B2 (en) * 2012-01-03 2013-09-24 Alcatel Lucent Synchronization method for NAT static port forwarding objects in redundant configurations

Also Published As

Publication number Publication date
CN104506513A (en) 2015-04-08

Similar Documents

Publication Publication Date Title
CN104506513B (en) Fire wall flow table backup method, fire wall and firewall system
US9282057B2 (en) Flexible stacking port
CN101517981B (en) Multi-chassis emulated switch
CN102291455B (en) Distributed cluster processing system and message processing method thereof
CN101827039B (en) Method and equipment for load sharing
CN103200094A (en) Method for achieving gateway dynamic load distribution
CN107733795B (en) Ethernet virtual private network EVPN and public network intercommunication method and device
CN108092934A (en) Safety service system and method
CN106559246B (en) Cluster implementation method and server
US9401865B2 (en) Network appliance redundancy system, control apparatus, network appliance redundancy method and program
CN101257490A (en) Method and device for processing packets in firewall bypass mode
CN103139075B (en) Message transmission method and device
EP4033704A1 (en) Routing information transmission method and apparatus, and data center interconnection network
CN101562576B (en) Route distribution method and equipment thereof
CN103200117B (en) Load-balancing method and device
US20120158992A1 (en) Group Member Detection Among Nodes of a Network
CN108833272A (en) Route management method and device
CN109743316B (en) Data transmission method, exit router, firewall and double firewall systems
EP3429139B1 (en) Ingress gateway selection for a shortest path bridging network to support inter domain multicast routing
CN105141526B (en) The method and device of virtual network communication
CN101692654A (en) Method, system and equipment for hub-and-spoke networking
CN101917414B (en) BGP (Border Gateway Protocol) classification gateway device and method for realizing gateway function by using same
JP6062388B2 (en) COMMUNICATION SYSTEM, COMMUNICATION CONTROL METHOD, AND CONTROL DEVICE
CN107332793A (en) Message forwarding method, related device and system
WO2021042674A1 (en) Method for configuring port state and network device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant